Wireless provisioning device

ABSTRACT

A wireless provisioning device (WPD) is a computer data traffic management system capable of routing TCP/IP traffic using 2.4 Ghz equipment. This WPD is to be strategically placed in logical segment regions within a wireless network to facilitate data traffic management. This device acts to provide connectivity between wireless backbone access points. The device may also be located within customer local area network (LAN) while providing connectivity to a wide area network (WAN). The wireless device has seven total wireless segments. The wireless device is capable of filtering IP addresses, controlling firewall and/or router and/or bridge. The wireless provisioning device increases effective throughput of TCP/IP traffic over the WAN or LAN while providing for secure management and greater connectivity.

FIELD OF THE INVENTION

The present invention relates to telecommunications gear, and morespecifically, in the preferred form, to wireless provisioning devicescapable of routing TCP/IP traffic using 2.4 Ghz equipment.

BACKGROUND OF THE INVENTION

Until recently, Internet connectivity was restricted to hard-wiredconnections to the Internet cloud. With the advent of stronger 2.4 Ghzantennae it became more practical to administer wireless connections tocomputers that would eventually connect back to the Internet cloud. Asthe speed of the wireless equipment increased, it became more costeffective to provide wireless connections to the user than cabling. As aresult, attempts were made to replace wired Wide-area networks (WANs)with high-speed wireless connections.

Presently, wireless equipment only offers bridging solutions. Thesewireless bridges contain either one or two wireless cards, depending onmanufacturer, and one wired connection. In some cases there are twowireless cards and one wired connection. However, in this rapidlyexpanding telecommunications landscape, it may prove necessary to have 3or 4 wireless connections and 3 or 4 wired connections. Although abridge is a good way to connect two or three Local-area networks (LANs)together, the overhead of bridging will not function for an extensiveWAN because current routing logic has a theoretical breakdown at 3 to 5bridges. As a result, present day 2.4 Ghz wireless connection pointsprovide bridging solutions that greatly restrict the ability of the userto place wireless equipment in a wide area network. 2.4 Ghz wirelessequipment is designed to create hubbed LANs and to bridge together twoor more small LANs. It was not designed to work in a public domain WANenvironment.

Additionally, current wireless connections were designed for indoor useand security is only associated with the network name. Alternatively,the system may be held closed through the use of Media access control(MAC) addressing. Despite the wireless function, such LAN solutionsassumed that the connections back to the wireless access point wererelatively few in number and that the connections were somewhatstationary. As a result, the MAC filtering is housed resident on theaccess connection point. The connection point typically requiresrebooting before the new access list may take effect. In addition, thereare a finite number of MAC addresses that may be placed on theconnection point. This effectively limits the number of roamingcustomers that may be added to the system. Each time a new member isadded, every connection point in the network must be updated andrebooted.

In order to manage a wireless connection point, Simple NetworkManagement Protocol (SNMP) became the standard method for data transfer.To modify the MAC filter, the administrative password for the accessconnection point is passed along the network. This password is passed inclear text. Without secure shell connections this clear text messagebecomes easy to intercept for anyone connected to the WAN. Once theadministrative password is breached the whole system becomescompromised. Earlier systems prevented this by providing only thosewithin the organization the network name. Without the network name,wireless cards will not connect with the connection point. In a publicdomain environment the network name will be common to all those that usethe service, which makes unauthorized access relatively simple.

There is a need for a piece of wireless equipment that can be used toeffectively connect a large WAN. There is also an existing need for awireless provisioning device that provides network routing at the sourceand security measures through the network. There is an additional needfor 2.4 Ghz wireless connection points that provide bridging solutionsthat afford the user the ability to place wireless equipment in a widearea network. There is yet another existing need for wirelessconnections designed for outdoor use and flexible security.Additionally, there remains a need for a system that can accommodatemultiple connections back to the wireless access point without requiringrebooting before the new roaming members can be added to the system.

SUMMARY OF THE INVENTION

The present invention provides a wireless provisioning device capable ofrouting TCP/IP traffic using 2.4 Ghz equipment. This device is to bestrategically placed in logical segment regions within a wirelessnetwork to facilitate data traffic management. This device acts toprovide connectivity between wireless backbone access points. The devicemay also be located within customer LANs while providing connectivity toa WAN. In a preferred embodiment, the wireless device has seven totalwireless segments. The wireless device is capable of filtering IPaddresses, controlling firewall and/or router and/or bridge needs andincreases effective throughput of TCP/IP traffic over the WAN or LANwhile providing for secure management and greater connectivity.

It is a primary objective of the present invention to provide a piece ofwireless equipment that can be us ed to effectively connect a large WAN.

It is another objective of the present invention to provide a wirelessprovisioning device that provides network routing at the source andsecurity measures through the network. The solution is to provide secureconnections between wireless access points and to points that requireadministrative connections.

Yet another objective of the present invention is to provide 2.4 Ghzwireless connection points that provide bridging solutions that affordthe user the ability to place wireless equipment in a WAN.

Still another objective of the present invention is to provide wirelessconnections designed for outdoor use and flexible security. The presentinvention achieves the above objective through each of severalembodiments, particularly, by radius authentication. Radiusauthentication is a more universal, more flexible and more secure methodof authentication. The authentication process is done with secureconnections to a central server. If for some reason security is breachedthen the username and password can be changed on the server side througha database change as opposed to a hardware change. By incorporating anew operating system with the use of the present wireless cards,wireless devices can be configured for logical management through secureconnections. Furthermore, radius authentication can pass securelythrough the wireless device into the secure network.

An additional objective of the present invention is to provide a systemthat can accommodate multiple connections back to the wireless accesspoint without requiring rebooting before the new roaming members can beadded to the system.

In accomplishing these and other objectives, there has been provided, inaccordance with one aspect of the present invention, a wirelessprovisioning device that can route at the node providing for lowernetwork overhead and stabilizing the network into a durable redundantWAN.

Further objects, features and advantages of the invention will beapparent from the following detailed description taken in conjunctionwith the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic diagram of a wireless provisioning device inaccordance with the present invention.

FIG. 2 is a schematic diagram of a two slot wireless device embodimentin accordance with the present invention.

FIG. 3 is a schematic diagram of a wireless provisioning system inaccordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The Provisioning device system, in accordance with the present inventioncomprise a plurality of wireless access points; a wireless provisioningdevice for receiving, transmitting, and directing data over a pluralityof networks and capable of sustaining connectivity between the wirelessaccess points and the wireless provisioning device, the wirelessprovisioning device comprising a chassis, at lease one network card, atleast one wireless card, at least one processor, and at least oneoperating system operable configured in the chassis and associated withat least one of the plurality of wireless access points for transmittingand receiving data between the wireless access point and a carrierstructure and where the wireless provisioning device is capable ofaccommodating multiple connections back to the wireless access pointwithout requiring rebooting before a new roaming member can be added tothe system; a carrier structure communicably positioned between thewireless provisioning device and the plurality of wireless access pointsfor transmitting and receiving data between the wireless provisioningdevice and the plurality of wireless access points by means of a secureconnection; and a security authentication protocol capable ofauthenticating traffic as it passes through the carrier structure.

The following terms are used in this application:

Access Point: On a network, a device designed to allow computers thatare not part of a network to connect to and communicate with thenetwork. The primary function of an access point is to provide a pointof access for those unconnected computers.

Authentication: A system of measures for keeping information on a systemsafe from corruption or prying eyes. In networks, the procedure by whicha computer verifies user identification. The most common form involvesthe comparison of a logon name and password to a stored file of approveduser names and passwords. Any differences between the two will prohibitthe user from accessing the information.Bridge: Links networks so that data from one network can pass throughanother network on its way to still another network.Datagram: A single unit of data, including its destination information,which is transmitted through a network.Directory Service Member: A network management system, located on oneenterprise capable computer. This computer maintains a databasedirectory that stores all information from billing to authenticationprivileges for those on the network. Specifically this machine recordsMAC addresses and billing profiles for those in the system. Thiscomputer is a central repository that controls users access, systemprivileges and payment status.Dynamic Host Configuration Protocol (DHCP): An Internet protocol forautomating the configuration of computers that use TCP/IP. DHCP can beused to automatically assign IP addresses, to deliver TCP/IP stockconfiguration parameters, and provide other information such as theaddresses for auxiliary servers.Gateway: A complex internetworking device that converts information fromone protocol to another. Gateways transfer information between networksthat use different communications protocols. The gateway actually tearsdown the information from one service and restructures it in the othernetwork's protocol format. Gateways include all hardware and softwareused to link dissimilar network operating systems (NOS) or to linklocal-area networks (LANs) to mainframes or wide-area networks (WANs).Gateways also are used in electronic mail (E-mail) to convert messagesbetween services using different E-mail protocols.Graphical User Interface (GUI): A GUI uses graphical symbols, calledicons, and menu to carry out commands.Local-Area Network (LAN): A group of computers, usually in one buildingor office, physically connected in a manner that lets them communicateand interact with each other. For a network to operate, it needs aserver, which is a computer that holds data used by the differentcomputers on the network. Some of the benefits of a network connectioninclude the ability to share document files and expensive equipment.Networks can be connected using different combinations of topologies,protocols, software and hardware. A network that uses radiotransmissions instead of cables to connect computers may be called alocal-area wireless network.Media Access Control (MAC): The protocol that determines thetransmission of information on a network.Node: Any device that can communicate with other computers in a group ofinterconnected computers. Usually, a node refers specifically to acomputer system (CS) or terminal that is part of a network.Packet: A block of data transmitted from one computer to another on anetwork or on the Internet. A packet contains three parts: the data tobe transmitted, the data needed to guide the packet to its destination,and the data that corrects errors that occur along the way. Severalpackets make up a typical transmission. The computer splits up thetransmission at the transmission point and reassembles it at thedestination point.Protocol: A set of rules and procedures for exchanging data betweencomputers on a network or through the Internet. Protocol usuallyincludes information or error checking, data compression, and sendingand receiving messages.Router: The part of a communications network that receives transmissionsand forwards them to their destinations using the shortest routeavailable. Data may travel through multiple routers on the way to itsdestination.Simple Network Management Protocol (SNMP): It exchanges networkinformation through messages technically known as protocol date units(PDUs).Telnet: Terminal emulation in which a user is connected to a remote hostusing an Internet account as if the user were directly connected to thehost, such that a connectivity session continues as if the user was at aterminal connected to the host, though the user is actually connected toanother site, using the Internet to connect to the host.Topology: The physical configuration of a network that determines howthe network's computers are connected.Transmission Control Protocol/Internet Protocol (TCP/IP): A languagegoverning communication among all computers on the Internet. TCP/IP istwo separate protocols, TCP and IP, that are used together. The InternetProtocol portion of the standard dictates how packets of information aresent out over networks. IP has a packet-addressing method that lets anycomputer on the Internet forward a packet to another computer that is astep or more closer to the packet's recipient. The Transmission ControlProtocol ensures the reliability of data transmissions acrossInternet-connected networks. TCP checks packets for errors and submitsrequests for retransmission if errors are found; it also will return themultiple packets of a message into the proper, original sequence whenthe message reaches its destination.Wide-Area Network (WAN): A collection of computers connected ornetworked to each other over a geographic area. WANs usually requirespecial arrangements with telephone companies because data istransmitted among locations (called sites) across telephone lines.

A computer network is simply a collection of autonomous computersconnected together to permit sharing of hardware and software resources,and to increase overall reliability. The qualifying term “local area” isusually applied to computer networks in which the computers are locatedin a single building or in nearby buildings, such as on a college campusor at a single corporate site. When the computers are further apart, theterm “wide area network” is used, but the distinction is one of degreeand the definitions sometime overlap.

A bridge is a device that is connected to at least two LANs and servesto pass message frames or packets between LANs, such that a sourcestation on one LAN can transmit data to a destination station on anotherLAN, without concern for the location of the destination. Bridges areuseful network components, principally because the total number ofstations on a single LAN is limited. Bridges can be implemented tooperate at a selected layer of protocol of the network.

At the heart of any computer network is a communication protocol. Aprotocol is a set of conventions or rules that govern the transfer ofdata between computer devices. The simplest protocols define only ahardware configuration, while more complex protocols define timing, dataformats, error detection and correction techniques and softwarestructures.

Computer networks almost universally employ multiple layers ofprotocols. A low-level physical layer protocol assures the transmissionand reception of a data stream between two devices. Data packets areconstructed in a data link layer. Over the physical layer, a network andtransport layer protocol governs transmission of data through thenetwork, thereby ensuring reliable data delivery.

A model for network architectures has been proposed and widely accepted.It is known as the International Standards Organization (ISO) OpenSystems Interconnection (OSI) reference model. The OSI reference modelis not itself a network architecture. Rather it specifies a hierarchy ofprotocol layers and defines the function of each layer in the network.Each layer in one computer of the network carries on a conversation withthe corresponding layer in another computer with which communication istaking place, in accordance with a protocol defining the rules of thiscommunication. In reality, information is transferred down from layer tolayer in one computer, then through the channel medium and back up thesuccessive layers of the other computer. However, for purposes of designof the various layers and understanding their functions, it is easier toconsider each of the layers as communicating with its counterpart at thesame level, in a “horizontal” direction.

The lowest layer defined by the OSI model is called the physical layer,and is concerned with transmitting raw data bits over the communicationchannel. Design of the physical layer involves issues of electrical,mechanical or optical engineering, depending on the medium used for thecommunication channel. The layer next to the physical layer is calledthe data link layer. The main task of the data link layer is totransform the physical layer, which interfaces directly with the channelmedium, into a communication link that appears error-free to the nextlayer above, known as the network layer. The data link layer performssuch functions as structuring data into packets and attaching controlinformation to the packets.

Although the data link layer is primarily independent of the nature ofthe physical transmission medium, certain aspects of the data link layerfunction are more dependent on the transmission medium. For this reason,the data link layer in some network architectures is divided into twosublayers: a logical link control sublayer, which performs allmedium-independent functions of the data link layer, and a MAC sublayer.This sublayer determines which station should get access to thecommunication channel when there are conflicting requests for access.The functions of the MAC layer are more likely to be dependent on thenature of the transmission medium.

The basic function of a bridge is to listen “promiscuously,” i.e., toall message traffic on all LANs to which it is connected, and to forwardeach message it hears onto LANs other than the one from which themessage was heard. Bridges also maintain a database of stationlocations, derived from the content of the messages being forwarded.Bridges are connected to LANs by paths known as “links.” After a bridgehas been in operation for some time, it can associate practically everystation with a particular link connecting the bridge to a LAN, and canthen forward messages in a more efficient manner, transmitting only overthe appropriate link. The bridge can also recognize a message that doesnot need to be forwarded, because the source and destination stationsare both reached through the same link. Except for its function of“learning” station locations, or at least station directions, the bridgeoperates basically as a message repeater.

As network topologies become more complex, with large numbers of LANs,and multiple bridges interconnecting them, operational difficulties canensue if all possible LAN bridging connections are permitted. Inparticular, if several LANs are connected by bridges to form a closedloop, a message may be circulated back to the LAN from which it wasoriginally transmitted, and multiple copies of the same message will begenerated. In the worst case, messages will be duplicated to such adegree that the networks will be effectively clogged with these messagesand unable to operate at all.

Internet is a collection of networks, including Arpanet, NSFnet,regional networks, local networks at a number of university and researchinstitutions, and a number of military networks. The protocols generallyreferred to as TCP/IP were originally developed for use only throughArpanet and have subsequently become widely used in the industry. Theprotocols provide a set of services that permit users to communicatewith each other across the entire Internet. The specific services thatthese protocols include file transfer, remote log-in, remote execution,remote printing, computer mail, and access to network file systems.

The basic function of the Transmission Control Protocol (TCP) is to makesure that commands and messages from an application protocol, such ascomputer mail, are sent to their desired destinations. TCP keeps trackof what is sent, and retransmits anything that does not get to itsdestination correctly. If any message is too long to be sent as one“datagram,” TCP will split it into multiple datagrams and makes surethat they all arrive correctly and are reassembled for the applicationprogram at the receiving end. Since these functions are needed for manyapplications, they are collected into a separate protocol (TCP) ratherthan being part of each application. TCP is implemented in the transportlayer of the OSI reference model.

The Internet Protocol (IP) is implemented in the network layer of theOSI reference model, and provides a basic service to TCP: deliveringdatagrams to their destinations. TCP simply hands IP a datagram with anintended destination; IP is unaware of any relationship betweensuccessive datagrams, and merely handles routing of each datagram to itsdestination. If the destination is a station connected to a differentLAN, the IP makes use of routers to forward the message. TCP/IPfrequently uses a slight deviation from the seven-layer OSI model inthat it may have fewer layers. The seven layers are as follows:

Layer 7—The Application Layer. Identifies communications partners, usersecurity, and authentication, as well as specific details about syntaxof a transmission. Examples of Layer 7 protocols are File TransferProtocol (FTP), Simple Mail Transfer Protocol (SMTP) and telnet.

Layer 6—The Presentation Layer. Governs the translation of atransmission from data to text, depending on the software application inuse. Control is generally vested in the operating system that deals withspecific aspects of data through protocols such as Moving PicturesExperts Group (MPEG) and Joint Photographic Experts Group).

Layer 5—The Session Layer. Establishes communications between parties toboth ends of a session, then terminates them when transmission iscomplete, via protocols such as AppleTalk and Session Control Protocol(SCP).

Layer 4—The Transport Layer. In this layer, Transmission ControlProtocol (TCP) and Name Binding Protocol (NBP) add transport data to thepacket and pass it to layer 3.

Layer 3—The Network/Internet Layer. When an action is initiated on alocal host (or initiating host) that is to be performed or responded toon a remote host (or receiving host), this layer takes the package fromlayer 4 and adds IP information before passing it to layer 2. By way ofprotocols such as Border Gateway Protocol (BGP) or Routing InformationProtocol (RIP), identifies a transmission's intended recipient based onspecific network protocols and controls the route each packet of data,in the complete transmission, takes on its journey.

Layer 2—The Data Link/Network Interface Layer. This is the networkdevice as the host, or local computer, sees it and it is through thismedium that the data is passed to layer 1. Adds, via protocols such asLogical Link Control (LLC) or Media Access Control (MAC), the specificcode necessary to take packets of data on their way using informationfrom layer 3. For example, if a network standard requires that each datapacket begin with a string of specific binary digits, they are added atlayer 2.

Layer 1—The Physical Layer. This is literally the Ethernet or SerialLine Interface Protocol (SLIP) itself. Defines the physical interfacenecessary to get communication information from point A to point B, andit includes various LAN and WAN specifications.

At the receiving host the layers are stripped one at a time, and theirinformation is passed to the next highest level until it again reachesthe application level. If a gateway exists between the initiating andreceiving hosts, the gateway takes the packet from the physical layer,passes it through a data link to the IP physical layer to continue. As amessage is sent from the first host to the second, gateways pass thepacket along by stripping off lower layers, readdressing the lowerlayer, and then passing the packet toward its final destination.

A router, like a bridge, is a device connected to two or more networks.Unlike a bridge, however, a router operates at the network layer level,instead of the data link layer level. Addressing at the network layerlevel makes use of a 32-bit address field for each host, and the addressfield includes a unique network identifier and a host identifier withinthe network. Routers make use of the destination network identifier in amessage to determine an optimum path from the source network to thedestination network. Various routing algorithms may be used by routersto determine the optimum paths. Typically, routers exchange informationabout the identities of the networks to which they are connected.

When a message reaches its destination network, a data link layeraddress is needed to complete forwarding to the destination host. Datalink layer addresses are 48 bits long and no two hosts, whereverlocated, have the same data link layer address. There is a protocolcalled ARP (address resolution protocol), which obtains a data linklayer address from the corresponding network layer address (the addressthat IP uses). Typically, each router maintains a database table fromwhich it can look up the data link layer address, but if a destinationhost is not in this ARP database, the router can transmit an ARPrequest. Only the addressed destination host responds, and the router isthen able to insert the correct data link layer address into the messagebeing forwarded, and to transmit the message to its final destination.

IP routing specifies that IP datagrams travel through internetworks onestep at a time based on the destination address in the IP header. Theentire route is not known at the outset of the journey. Instead, at eachstop, the next destination is calculated by matching the destinationaddress within the datagram's IP header with an entry in the currentnode's routing table.

Each node's involvement in the routing process consists only offorwarding packets based on internal information resident in the router,regardless of whether the packets get to their final destination. Toextend this explanation a step further, IP routing does not alter theoriginal datagram. In particular, the datagram source and destinationaddresses remain unaltered. The IP header always specifies the IPaddress of the original source and the IP address of the ultimatedestination.

When IP executes the routing algorithm it computes a new address, the IPaddress of the device to which the datagram should be sent next. Thisalgorithm uses the information from the routing table entries, as wellas any cached information local to the router. This new address is mostlikely the address of another router/gateway. If the datagram can bedelivered directly, the new address will be the same as the destinationaddress in the IP header.

The next address defined by the method above is not stored in the IPdatagram. There is no reserved space to hold it and it is not “stored”at all. After executing the routing algorithm to define the next stepaddress to the final destination. The IP protocol software passes thedatagram and the next step address to the network interface softwareresponsible for the physical network over which the datagram must now besent.

The network interface software binds the next step address to a physicaladdress, forms a packet using the physical address, places the datagramin the data portion of the packet, and sends the result out over thephysical network interface through which the next step gateway isreached. The next gateway receives the datagram and the foregoingprocess is repeated. In addition, the IP does not provide for errorreporting back to the source when routing anomalies occur. This task isleft to another Internet protocol, the Internet Control Message Protocol(ICMP).

A router will perform protocol translation. One example is at layers 1and 2. If the datagram arrives via an Ethernet interface and is destinedto exit on a serial line, for example, the router will strip off theEthernet header and trailer, and substitute the appropriate header andtrailer for the specific network media, such as SMDS, by way of example.

A route policy may be used instead of routing table entries to derivethe next step address. In the system and methodology of the presentinvention, the source address is tested to see in which ISP addressrange it falls. Once the ISP address range is determined the packet isthen routed to the next step address associated with the specific ISP.

It must be noted, however, that routing wireless networks at connectionnodes is the most efficient means of passing Internet data. One aspectof the present wireless provisioning device is to provide routing ateach node connection point. This provides for a stronger network andprovides flexibility in network design. This flexibility allows forbetter network traffic management and improves the overall bandwidth byreducing network latency through optimization of routes and data packetmanagement. Although the wireless provisioning device is capable ofbridging, it will be the determination of the network engineer toestablish the wireless provisioning device as a bridge to the network ora router to the network. This feature gives the network engineer moreflexibility to determine the network design. Furthermore, the flexiblenature of the equipment allows the user to change a leaf node thatbridges into a major backbone node that routes through the use of codemodification without the need to reboot.

Subsequently, as a node begins to grow, the network engineer can upgradethat node to fit the needs of the network without harming existingcustomers. By inserting the cards in the slots of a chassis thatcontains open-source code, preferably LINUX, as its operating system(OS), the wireless provisioning device can be configured as a router ora bridge. The routing module of LINUX is not a portion of the mainoperating kernel. Being a subcomponent of the OS, the routing module canbe upgraded and modified without rebooting the system. A reboot of anadvanced LINUX box may take up to 30 minutes to complete. The upgrade ofa routing module in LINUX takes less than 2 seconds to reinitialize.This reinitialization is transparent to the customers attached to thisbox. The routing module is replaceable by a bridge module if routing isnot necessary for the connection node. Routing at the connection pointallows for the filtering of IP addresses for either all of the customersattached to that node or for an individual IP address attached to thatnode. Furthermore, the routing module contains routing logic capable ofbandwidth shaping. This process only allows certain volumes of data tobe transmitted to and/or from a certain customer IP address.

The present invention furthers the art with the addition of more accesspoints. By providing a flexible configuration of preferably eight ports,the wireless provisioning device may contain up to seven wirelessconnections and one wired connection, or seven wired connections and onewireless connection, or any combination as seen fit for the network.This reduces overall cost and decreases space requirements. By placingthis system on a faster chip set, the equipment effectively processesmore data from the same point. Furthermore, this feature allows theexpansion of the system to develop from an outlying leaf node withlittle usage to a major backbone node with multiple redundancy withoutaffecting existing customers. The user can also increase the number ofpotential customers to the connection point in the network by addingcards and antennas without the need for chassis changes. Because thephysical configuration of the system resides in the chassis of apersonal computer with preferably eight possible network slots, thewireless provisioning device can be configured with differing numbers ofwireless cards and network cards. The chassis may contain up to twoprocessors. Running the LINUX operating system the single or dualprocessor configuration allows for hefty data management. This processorconfiguration and extensive amounts of random access memory allows theoperating system to handle extensively more information than thetraditional wireless connection points.

The provisioning device, in accordance with the present invention, alsoaddresses the security of wireless equipment. Using a secure shelltelnet connection to the wireless provisioning device, message trafficand administrative information cannot be sniffed by other users on thenetwork. Due to this feature, public domain wireless equipment can bemade available. This feature uses a more universal management scheme oftelnet. Thus the administrator may write interface Graphical UserInterfaces (GUIs) or can control the node through the use of a plaintext command line screen. Connection to these nodes can be limited toauthorized IP addresses and domain names, reducing the chances ofunauthorized network entries. Presently, wireless equipment use SimpleNetwork Management Protocol Version 1 (SNMPV-1) protocol for themanagement of the connection device. SNMPV-1 is limited to text messagetraffic. Any connection made to this connection point is on the samelogical segment as those that are doing administrative work to theconnection device. In every network solution logical segments containall the information that is passed within that segment. Sniffing trafficon that logical segment has long been known to be a problem withinnetworking circles. SNMPV-6 protocol is the typical solution to thisproblem while using SNMP protocol. However SNMPV-6 is a processorintense protocol providing for extensive network overhead. By using asecure telnet connection the network overhead is reduced whileincreasing the security of the system. A secure telnet connection onlyallows certain IPs to connect to certain dataports. This limitedconnection structure effectively creates different logical segmentswithin the same physical network segment. The newly created logicalsegment prevents the sniffing of administrative traffic by the commonuser.

In a preferred embodiment of the present wireless provisioning device,limited static MAC addressing is replaced by or coupled with radiusauthentication. The radius authentication can be tied to the MACaddressing in conjunction with a user name and password. This method ofauthentication greatly reduces the chances of service theft and allowsthe user a mobile solution between cells. Furthermore this feature lendsitself to a directory service method that will allow a more customizedinterface for the user. Using IP filtering, authorization levels andenterprise user management the wireless provision router with directoryservice will control bandwidth consumption, and provide a more customservice to the user. Without radius authentication, users are connectedto the network without any control from a central server. By providingradius authentication one server controls the ability of the user toenter certain parts of the network.

The present invention, in multiple embodiments, provides firewall andproxy service. The wireless provisioning device can provide both ofthese services at the user's termination point. These services willprovide an added layer of protection to the user without the need forsecurity management. Furthermore the proxy nature will provide for IPtranslation and allow users to maintain networks behind the entry pointto the net.

Wireless provisioning devices, in accordance with the present invention,provide connections from both single personal computer cards and fromother wireless provisioning devices. Therefore the same wireless WAN maycontain single users and large LANs. In conventional wireless equipmentconfigurations, the user must choose to provide service to either thepersonal computer containing the cards or to a wireless connectionbridge. Commercial users would then select to use a wireless connectionbridge while a residential user would choose to use a personal computer.Without the wireless provisioning device, two separate wirelessinfrastructures would have to be erected to satisfy all types ofcustomers. The wireless provisioning device allows the user to connectto the wireless infrastructure using either an individual personalcomputer or another wireless provisioning device. As a result, onewireless infrastructure may be erected while satisfying all potentialcustomer types.

It will be readily understood that the components of the presentinvention, as generally described and illustrated in the Figures herein,could be arranged and designed in a wide variety of differentconfigurations. Thus, the following more detailed description of theembodiments of the system and method of the present invention, asrepresented in FIGS. 1 through 3, is not intended to limit the scope ofthe invention, as claimed, but it is merely representative of thepresently preferred embodiments of the invention.

The presently preferred embodiments of the invention will be bestunderstood by reference to the drawings of FIGS. 1-3, wherein like partsare designated by like numerals throughout.

In general terms, FIGS. 1-3 show a self-standing wireless system.Referring now to FIG. 3, connected to the wireless cloud 300 one readilynotes a border router 310 at each connection point. In a preferredembodiment of the present invention, the border router 310 is a typicalwired router. Connected to one layer of the cloud 300 is a directoryservices member 320. This device may be configured to control theobjects to which all client side computers conduct authentication. Thecloud 300 connected to the tower 330 passes through a wireless router340. This router 340 serves as both a router and a Dynamic HostConfiguration Protocol (DHCP) server. All further connections on thetower also use wireless routers to connect to the central wirelessrouter.

Each time a wireless router 340 is located on a tower 330 that routeracts as its own DHCP server. A predetermined set of IP addresses areassigned to that tower 330. All DHCP authentication returns to theDirectory services member 320 to validate login. At large usagelocations such as factories 350 a wireless router 340 is placed at theoutput connection point 360. This wireless router 340 serves as aninternal router for all equipment within the facility and as a borderrouter for the location. A wireless router 340 is only needed by thoseclients that have a large number of computers connected to the wirelessnetwork. Home users and small businesses 370 that have one or two PCs380 that can connect directly back to the wireless router 340 on thetower 330. Furthermore, small computer users may bridge back to thetower 330 and then not get routed until they reach the border router 310at the outlet to the Internet cloud 300.

Referring specifically to FIG. 1, an exemplary embodiment of a wirelessprovisioning device in accordance with the present invention maycomprise a chassis 100 suitably configured with a UNIX based operatingsystem 110 such as a LINUX operating system running on an Intel basedCPU 120. The 2.4 Ghz wireless cards 130 are constructed with typicalPCM/CIA connectors 140. That connector is adapted to the PC busstructure 150 through a PCM/CIA to PCI adapter. The bus interface to thePC is all PCI. Information enters and exits the wireless cards throughthe PCI bus into the TCP stack (not shown) of the LINUX OS 110. The TCPstack on the LINUX OS is configured in a manner to either redirect ortransmit the data through the appropriate interface. In many cases datawill enter into the wireless provision device through the 10/100 NetworkInterface Card (NIC) 160 through standard wired IP methods 170. Once theinformation enters through the wired connection 170 the TCP stackconfiguration in the LINUX stack module will direct the traffic out theappropriate connection. The LINUX TCP stack configuration optimizes thenetwork data traffic flow.

Referring now, principally, to FIG. 2, a typical configuration for a 2.4Ghz bridge 200 is either 1 or 2 wireless cards 210 with PCM/CIAconnectors 220. These cards 210 connect to the bridge bus through thePCM/CIA connections 230. The output from the wireless bridge 200 iseither the 10/100 ethernet or the other wireless card 210. The wirelesscards 210 have an adapter 240 for increased antenna gain. Theseconnectors go to a lightning arrestor device 250 to prevent damage fromlightning strikes. These lightning arrestors 250 connect to special lowloss antenna cables 260. The low loss antenna cables 260 then connect toincreased gain antennae of varying global patterns and strength. In someevents these antennae require splitters 270 and amplifiers 280 tooptimize globe patterns for the area.

An apparatus and system according to the invention works well in a widevariety of cases and does not inhibit or impact future enhancements tonetwork protocols and operating systems. To assure that operations atthe application and transport levels do become aware of changes ofaddress promptly, the apparatus and system may eliminate the prospect ofa single point of failure, eliminate or reduce sub-optimal routing forall applications, provide improved security to protect communicationover wireless media, and allow users to switch network adapter cardswhile preserving all connections, such as software applications andnetwork administration, transparently to the user.

The present invention may be embodied in other specific forms withoutdeparting from its spirit or essential characteristics. The describedembodiments are to be considered in all respects only as illustrative,and not restrictive. The scope of the invention is, therefore, indicatedby the appended claims, rather than by the foregoing description. Allchanges which come within the meaning and range of equivalency of theclaims are to be embraced within their scope.

1. A wireless provisioning device for use in public domain networkswherein the wireless provisioning device is accessible by a user ofmobile computing devices, comprising: a chassis; at least one networkcard; at least one wireless card; at least one processor; an operatingsystem, the operating system operably configured in the chassis tocontrol the at least one, network card, the at least one wireless cardand the at least one processor, which are operatively coupled with thechassis; a packet-switched interface capable of receiving a multiplicityof inbound framed packet-data to provide inbound packets andtransmitting a multiplicity of outbound framed packet-data comprisingoutbound packets; a channeling controller, coupled to thepacket-switched interface that channels the inbound packets based on theinbound address information and constructs the outbound packets andchannels the outbound packets with the outbound address information, thechanneling controller capable of being effectively connected to at leastone network via the operating system; and an authenticator in operativecommunication with the operating system to allow authentication at thewireless provisioning device; whereby the user of a mobile computingdevice connects to the wireless provisioning device without having tofirst access the Internet.
 2. The wireless provisioning device of claim1, wherein the channeling controller routes the outbound packets.
 3. Thewireless provisioning device of claim 2, wherein the channelingcontroller routes the outbound packets.
 4. The wireless provisioningdevice of claim 1, wherein the channeling controller bridges the inboundpackets.
 5. The wireless provisioning device of claim 4, wherein thechanneling controller bridges the outbound packets.
 6. The wirelessprovisioning device of claim 1, wherein the operating system of thewireless provisioning device is an open source UNIX based system.
 7. Thewireless provisioning device of claim 1, wherein the wirelessprovisioning device further comprises a second processor.
 8. Thewireless provisioning device of claim 1, wherein the wirelessprovisioning device further comprises a memory device and a storagedevice.
 9. The wireless provisioning device of claim 1, wherein thenetwork card, the wireless cord, the processor, the operating system,the packet-switched interface, and the channel controller areoperatively disposed within the chassis of the wireless provisioningdevice.
 10. The wireless provision device of claim 9, wherein theauthenticator is operatively disposed within the chassis of the wirelessprovisioning device.
 11. The wireless provisioning device of claim 1,wherein bandwidth to individual user can be controlled by the wirelessprovisioning device operating system.
 12. The wireless provisioningdevice of claim 1, wherein the protocol type of an individual user conbe controlled by the wireless provisioning device operating system. 13.A wireless provisioning device, comprising: a chassis; at least onenetwork card; at least one wireless card; at least one processor; aLINUX operating system, the operating system operably configured in thechassis to control the at least one network card, the at least onewireless card and the at least one processor; a packet-switchedinterface capable of receiving a multiplicity of inbound framedpacket-data to provide inbound packets and transmitting a multiplicityof outbound framed packet-data comprising outbound packets; a channelingcontroller, coupled to the packet-switched interface that channels theinbound packets based on the inbound address information and thatconstructs the outbound packets and channels the outbound packets withthe outbound address information, the channeling controller capable ofbeing effectively connected to at least one network via the operatingsystem.
 14. A system for allowing users to securely access public domainarea networks via mobile computing devices, comprising: a plurality ofwireless access points; at least one wireless provisioning device forreceiving, authenticating, transmitting, and directing data over aplurality of networks and capable of sustaining connectivity between thewireless access points and the wireless provisioning device, thewireless provisioning device comprising a chassis, at least one networkcard, at least one wireless card, at least one processor, and at leastone operating system operably configured in the chassis and associatedwith at least one of the plurality of wireless access points fortransmitting and receiving data between the wireless access point and acarrier structure and where the wireless provisioning device is capableof accommodating multiple connections back to the wireless access pointwithout requiring rebooting before a new rooming member can be added tothe system; a carrier structure communicably positioned between thewireless provisioning device and the plurality of wireless access pointsfor transmitting and receiving data between the wireless provisioningdevice and the plurality of wireless access points by means of a secureconnections; and a security authentication protocol, initiated by thewireless provisioning device, capable of authenticating traffic as itpasses through the carrier structure.
 15. A system for allowing users tosecurely access public domain area networks via mobile computingdevices, comprising: a plurality of wireless access points; at least onewireless provisioning device for receiving, authenticating,transmitting, and directing data over a plurality of networks andcapable of sustaining connectivity between the wireless access pointsand the wireless provisioning device, the wireless provisioning devicecomprising a chassis, at least one network card, at least one wirelesscard, at least one processor, and at least one operating system operablyconfigured in the chassis and associated with at least one of theplurality of wireless access points for transmitting and receiving databetween the wireless access point and a carrier structure and where thewireless provisioning device is capable of accommodating multipleconnections back to the wireless access point without requiringrebooting before a new rooming member can be added to the system, thewireless provisioning device further comprises a directory servicesmember operatively connected to the operating system thereof, which issuitable for maintaining a database directory that stores MAC addressesand billing profiles for those in the system; a carrier structurecommunicably positioned between the wireless provisioning device and theplurality of wireless access points for transmitting and receiving databetween the wireless provisioning device and the plurality of wirelessaccess points by means of a secure connections; and a securityauthentication protocol, initiated by the wireless provisioning device,capable of authenticating traffic as it posses through the carrierstructure.
 16. The system of claim 15, wherein the wireless provisioningdevice is capable of bridging.
 17. The system of claim 16, wherein thewireless provisioning device is capable of routing.
 18. The system ofclaim 15, wherein the carrier structure is a suitable antenna forproviding bridging solutions that afford the user the ability to placewireless equipment in a wide area network.
 19. The system of claim 15,wherein the security authentication protocol is a radius authenticationprotocol.
 20. The system of claim 15, wherein the wireless provisioningdevice provides proxy service.
 21. The system of claim 15, wherein thewireless provisioning device provides firewall service.
 22. The systemof claim 15, wherein the system comprises at least one antenna, aplurality of wireless access points; at least one wireless provisioningdevice for receiving, authenticating, transmitting, and directing dataover a plurality of networks and capable of sustaining connectivitybetween the wireless access points and the wireless provisioning device,the wireless provisioning device comprising a chassis, at least onenetwork card, at least one wireless card, at least one processor, and atleast one operating system operably configured in the chassis andassociated with at least one of the plurality of wireless access pointsfor transmitting and receiving data between the wireless access pointand a carrier structure and where the wireless provisioning device iscapable of accommodating multiple connections back to the wirelessaccess point without requiring rebooting before a new roaming member canbe added to the system, the wireless provisioning device furthercomprises a directory services member operatively connected to theoperating system thereof, which is suitable for maintaining a databasedirectory that stores MAC addresses and billing profiles for those inthe system; a carrier structure communicably positioned between thewireless provisioning device and the plurality of wireless access pointsfor transmitting and receiving data between the wireless provisioningdevice and the plurality of wireless access points by means of a secureconnections; and a security authentication protocol, initiated by thewireless provisioning device, capable of authenticating traffic as itpasses through the carrier structure.
 23. The system of claim 22,wherein there is more than one antenna and the user is capable oflogging on and sustain connectivity with the system while transitioningantennas.
 24. The system of claim 22, wherein the user is capable oflogging onto and sustaining connectivity with the system whiletransitioning access points.
 25. The system of claim 15, wherein theoperating system of the wireless provisioning device is an open sourceUnix base system.
 26. A system, comprising: a plurality of wirelessaccess points; at least one wireless provisioning device for receiving,transmitting, and directing data over a plurality of networks andcapable of sustaining connectivity between the wireless access pointsand the wireless provisioning device, the wireless provisioning devicecomprising a chassis, at least one network card, at least one wirelesscard, at least one processor, and at least one operating system operablyconfigured in the chassis and associated with at least one of theplurality of wireless access points for transmitting and receiving databetween the wireless access point and a carrier structure and where thewireless provisioning device is capable of accommodating multipleconnections back to the wireless access point without requiringrebooting before a new roaming member can be added to the system, thewireless provisioning device further comprises a directory servicesmember operatively connected to the operating system thereof, which issuitable for maintaining a database directory that stores MAC addressesand billing profiles for those in the system; a carrier structurecommunicably positioned between the wireless provisioning device and theplurality of wireless access points for transmitting and receiving databetween the wireless provisioning device and the plurality of wirelessaccess points by means of a secure shell telnet connection; and asecurity authentication protocol capable of authenticating traffic as itpasses through the carrier structure.
 27. A system for allowing users tosecurely access public domain area networks via mobile computingdevices, comprising: a plurality of wireless access points; at least onewireless provisioning device for receiving, authenticating,transmitting, and directing data over a plurality of networks andcapable of sustaining connectivity between the wireless access pointsand the wireless provisioning device, the wireless provisioning devicecomprising a chassis, at least one network card, at least one wirelesscard, at least one processor, and at least one operating system operablyconfigured in the chassis and associated with at least one of theplurality of wireless access points for transmitting and receiving databetween the wireless access point and a carrier structure and where thewireless provisioning device is capable of accommodating multipleconnections back to the wireless access point without requiringrebooting before a new roaming member can be added to the system; a 2.4GHz antenna operatively coupled with the wireless provisioning device; acarrier structure communicably positioned between the wirelessprovisioning device and the plurality of wireless access points fortransmitting and receiving data between the wireless provisioning deviceand the plurality of wireless access points by means of a secureconnections; and a security authentication protocol, initiated by thewireless provisioning device, capable of authenticating traffic as itposses through the carrier structure.
 28. A system, comprising: aplurality of wireless access points; at least one wireless provisioningdevice for receiving, transmitting, and directing data over a pluralityof networks and capable of sustaining connectivity between the wirelessaccess points and the wireless provisioning device, the wirelessprovisioning device comprising a chassis, at least one network card, atleast one wireless card, at least one processor, and at least one LINUXoperating system operably configured in the chassis and associated withat least one of the plurality of wireless access points for transmittingand receiving data between the wireless access point and a carrierstructure and where the wireless provisioning device is capable ofaccommodating multiple connections back to the wireless access pointwithout requiring rebooting before a new roaming member can be added tothe system, the wireless provisioning device further comprises adirectory services member operatively connected to the operating systemthereof, which is suitable for maintaining a database directory thatstores MAC addresses and billing profiles for those in the system; acarrier structure communicably positioned between the wirelessprovisioning device and the plurality of wireless access points fortransmitting and receiving data between the wireless provisioning deviceand the plurality of wireless access points by means of a secureconnections; and a security authentication protocol capable ofauthenticating traffic as it passes through the carrier structure. 29.The wireless provisioning device of claim 28, wherein the network card,the wireless card, the processor, the operating system, thepacket-switched interface, and the channel controller are operativelydisposed within the chassis of the wireless provisioning device.
 30. Thewireless provision device of claim 29, wherein the authenticator isoperatively disposed within the chassis of the wireless provisioning adevice.
 31. The wireless provisioning device of claim 28, whereinbandwidth to individual user can be controlled by the wirelessprovisioning device operating system.
 32. The wireless provisioningdevice of claim 28, wherein the protocol type of an individual user canbe controlled by the wireless provisioning device operating system.